A CAA lookup asks DNS for a certificate authority policy. Use it when you need to confirm certificate issuance control and CA authorization troubleshooting.

Run a CAA lookup

dig example.com CAA

In DigLookup.com, enter the name, choose the record type, and read the answer section. The answer is the value DNS is currently publishing through public resolvers.

Example answer

example.com.    300    IN    CAA    0 issue "letsencrypt.org"

What to check

  • The name is exactly right. A lookup for the root domain is different from a lookup for a subdomain.
  • The TTL is reasonable for the stage of the change. Short TTLs help migrations; long TTLs can preserve old answers.
  • The returned value matches the source of truth from the hosting provider, email provider, certificate authority, or DNS platform.
  • The answer is visible from more than one resolver if the change is meant to be public.

Common mistakes

  • Checking the wrong record type and assuming DNS is broken when only that type is absent.
  • Forgetting that DNS dashboards show intended configuration, while dig shows the published answer.
  • Expecting a DNS change to appear everywhere before old resolver caches have expired.